DOCUMENT RESUME 



ED 400 759 
ABSTRACT 

29 State-operated campuses. Campuses of the SUNY system each operate 
and manage their own telephone systems. Campuses may own or lease 
their own telephone system called a private branch exchange (PBX). A 
PBX makes a campus a miniature telephone company with the ability to 
add and delete telephone stations, select calling options, and 
account for calls. The telecommunications departments on SUNY 
campuses are responsible for monitoring system use and seeking 
monetary recoveries from faculty, staff, administrators, and students 
for all private use. The State Comptroller audited the internal 
controls that SUNY System Administration and the campuses maintain 
over the campus PBX systems for the period April 1, 1993 through 
August 31, 1995. Visits were made to eight campuses. It was found 
that some campuses lack adequate formal telephone policies, that 
appropriate restrictions were not in place limiting international 
calls, and that follow-up was lacking in pursuit of reimbursement for 

Executive Summary

State University of New York

Controls Over Telephone Systems at Selected Campuses

Scope of Audit

The State University of New York (SUNY) consists of 29 State-operated
campuses, five State-funded colleges at Cornell and Alfred, and a System
Administration. System Administration provides direction and leadership 
for the SUNY system. Each campus manages all aspects of campus 
operations. 

Each campus operates and manages its own telephone system. A campus 
may own a private branch exchange (PBX) or lease a system from a 
public telephone company. Currently, 22 campuses own a PBX. A 
PBX makes the campus a miniature telephone company with the ability 
to add and delete telephone stations, select calling options and account 
for calls. The telecommunications departments on the campuses supply 
telephone services for the campuses, and are responsible for monitoring 
system use and seeking monetary recoveries, where appropriate, for 
personal and non-State calls. The State Comptroller’s accounting records 
show that SUNY spends about $20 million annually on campus-wide 
telephone costs. 

Our audit addressed the following questions relating to controls over 
PBX systems at selected campuses: 

• Has SUNY established adequate controls over access and use of 
the PBX systems? 

• Are reasonable efforts made to recover costs for personal and 
non-State telephone usage? 



Audit Observations and Conclusions

We visited the telecommunications departments of 8 of the 22 SUNY
campuses that own PBX systems to determine the extent to which the
campuses have implemented an internal control system over their PBX
systems. We found there are varying degrees of control in place among
the campuses visited. Many of the campuses we visited do not have
adequate internal controls in place, and each needs to improve its
collection efforts relating to personal and non-State calls.

For example, four campuses do not have an adequate inventory of
telephone extensions, and five campuses do not monitor telephone use
records on a periodic basis to detect patterns of abuse. Four campuses
do not limit access to their PBX systems from outside lines to prevent
unauthorized access. During a three-month period, one campus was
billed $875 for 1,109 calls for which the campus could not identify the
source. Some campuses do not block toll calls made to certain area
codes, even though such calls are a potential source of abuse. Our
report contains additional examples of the need to improve controls over
the PBX systems. In addition, the report contains an exhibit summarizing
the status of controls for each of the eight campuses visited (see
pp. 3-6 and Exhibit A).

Seven of the eight campuses we visited have a system for identifying
non-State and personal calls. However, these systems vary in their
effectiveness. Some campuses use specific control codes to identify
personal calls; other campuses rely on the honor system to identify
personal calls. The eighth campus has no system to identify personal or
non-State calls and makes no effort to recover the cost of these calls.
We found that in most cases the telecommunications departments are
doing their part in providing the billing information to each department
and administrative entity; however, some campuses choose not to enforce
collection. We found that whether or not a campus seeks reimbursement
for personal phone calls depends on the attitude of its upper
management. One campus provided us with documentation to support payment
of 526 of the 528 calls that we identified as personal in nature.
However, these calls were not paid for until after we sent our request
for an explanation of the calls. One individual made 24 calls to China
during the three-month review period. These were personal calls that the
individual had not paid for prior to our audit. After our visit to the
campus, the individual submitted a check for $1,100 to cover the cost
of his calls (see pp. 6-9).

We believe there is a need for more involvement by System Administration
in ensuring campuses have adequate safeguards over their telephone
systems. Our report includes recommendations to improve controls over 
campus telephone systems, including the collection of payments for 
personal and non-State calls. 


Response of SUNY Officials to Audit


SUNY officials at certain campuses concur with our recommendations and 
are taking steps to implement them. Officials at other campuses believe 
their current control systems are adequate. SUNY System Administration 
officials state that it is the responsibility of each campus to establish 
adequate controls. 



Introduction 



Background 


The State University of New York (SUNY) consists of 29 State-operated 
campuses, five State-funded colleges at Cornell and Alfred, and a System 
Administration. A 16-member Board of Trustees sets SUNY policy, and 
System Administration provides direction and leadership for the SUNY 
system. Each campus manages all aspects of campus operations. 

Campuses of the SUNY system each operate and manage their own 
telephone systems. Campuses may own their own telephone system, 
called a private branch exchange (PBX), or lease a system from a public 
telephone company. Currently, 22 campuses own PBXs. A PBX makes 
the campus a miniature telephone company with the ability to add and 
delete telephone stations, select calling options and account for calls. 

The telecommunications departments on SUNY campuses supply 
telephone services for the campuses, and are responsible for monitoring 
system use and seeking monetary recoveries from faculty, staff, students 
and administrators, as appropriate, for personal calls. The telephone 
system is also used by non-State entities on campus, such as the 
Research Foundation. The telecommunications departments are
responsible for recovering the cost of all services provided to such
entities. 

The State Comptroller’s accounting records show that SUNY spends 
about $20 million annually on campus-wide telephone costs. These costs 
include system costs, personnel costs and telephone usage costs. Five 
of the eight campuses we visited during our audit spent about $475,000 
on long distance telephone calls during a three-month period. 


Audit Scope, Objectives and Methodology


We audited the internal controls that SUNY System Administration and 
the campuses maintain over the campus PBX systems for the period 
April 1, 1993 through August 31, 1995. The objectives of our 
performance audit were to determine whether SUNY has established 
adequate controls over access and use of the PBX systems and to 
determine whether reasonable efforts are being made to recover costs for 
personal and non-State phone usage. To accomplish these objectives, we 
visited the telecommunications departments at eight campuses: Albany, 
Brooklyn, Cobleskill, New Paltz, Plattsburgh, Purchase, Stony Brook and 
Utica. At each location we reviewed control procedures, interviewed 
management staff, and examined and tested relevant transactions and 
records. Our audit did not include a review of student billings. 



We conducted our audit in accordance with generally accepted government
auditing standards. Such standards require that we plan and
perform our audit to adequately assess those operations of SUNY which
are included within our audit scope. Further, these standards require
that we understand SUNY’s internal control structure and its compliance
with those laws, rules and regulations that are relevant to SUNY’s
operations which are included in our audit scope. An audit includes
examining, on a test basis, evidence supporting transactions recorded in
the accounting and operating records and applying such other auditing
procedures as we consider necessary in the circumstances. An audit also
includes assessing the estimates, judgments, and decisions made by 
management. We believe that our audit provides a reasonable basis for 
our findings, conclusions, and recommendations. 

We use a risk-based approach to select activities to be audited. This 
approach focuses our audit efforts on those operations that have been 
identified through a preliminary survey as having the greatest probability 
for needing improvement. Consequently, by design, finite audit 
resources are used to identify where and how improvements can be 
made. Thus, little audit effort is devoted to reviewing operations that 
may be relatively efficient and effective. As a result, our audit reports 
are prepared on an “exception basis.” This report, therefore, highlights 
those areas needing improvement and does not address activities that may 
be functioning properly. 



Response of SUNY Officials to Audit

A draft copy of this report was provided to SUNY officials for their
review and comment. Their comments have been considered in
preparing this report and are included as Appendix B.

Within 90 days after final release of this report, as required by Section 
170 of the Executive Law, the Chancellor of the State University of New 
York shall report to the Governor, the State Comptroller, and the leaders 
of the Legislature and fiscal committees, advising what steps were taken 
to implement the recommendations contained herein, and where 
recommendations were not implemented, the reasons therefor. 

Controls Over Telephone Systems



An effective system of internal control provides reasonable assurance that 
all assets are safeguarded against waste, loss, unauthorized use and 
misappropriation. Division of the Budget (DOB) guidelines require that 
State-furnished telephone equipment and services be used solely for the 
performance of official State business, except in an emergency. In 
addition, Volume XI, Section 7.0300 of the New York State Accounting
System User Procedure Manual requires that agencies collect the amount
of all toll charges for all personal long distance telephone calls. We
found that many of the campuses we visited have weak internal controls
and that reimbursement is not made for many of the personal calls. 



Adequacy of Internal Controls

SUNY System Administration and the campuses are responsible for
designing and implementing adequate controls over their
telecommunications systems to ensure compliance with State regulations
governing telephone use and to ensure there is no unauthorized use of
the systems. These controls should include:

• Establishing documented policies and procedures which instruct
staff members concerning management’s requirements, and
provide management with a framework to formally assess internal
controls;

• Maintaining adequate telephone extension inventory records to
ensure that all calls can be accounted for and that the campus is
not paying for equipment that it does not own;

• Monitoring telephone activity for misuse or fraud, including
limiting or blocking calls to high risk area codes, such as the 809
area code (Caribbean), as statistics show that 50 percent of all
toll call fraud is associated with calls to the Caribbean;

• Limiting access from outside lines, to reduce the risk that
outsiders could fraudulently engage campus systems or that
employees could use the systems for unauthorized toll calls; and

• Ensuring that payment is received for all non-State and personal
calls.

We visited eight campus telecommunications departments to determine the
extent to which campuses have implemented an internal control system.
At these campuses we determined if internal controls were adequate to
ensure that the administration and academic departments collect the
charges for personal long distance calls, as well as telephone charges 
incurred by non-State users of the phone system. We found there are 
varying degrees of control in place among the campuses visited. We are 
particularly concerned with the weak controls over outside access to the 
PBX systems and the level of collections made for non-State and 
personal calls. (Exhibit A summarizes the status of controls for each of 
the eight campuses we visited.) 

Some observations made at the eight campuses include:

• Three campuses have not established adequate written policies and 
procedures governing telephone use. In responding to our audit 
report, two campuses, New Paltz and Utica, disagree and state
they have written procedures. However, these procedures are not 
adequate as they are only brief statements regarding personal and 
business calls and do not address issues such as instructions for 
reimbursement of calls, processing of payments and responsibility 
for telephone equipment. We found that two other campuses do 
not periodically distribute their procedures to all phone users. 
Without adequate written policies and procedures and proper 
distribution of such, employees may not be aware of their 
responsibility to pay for personal phone use. 

• Four campuses do not have an adequate inventory of telephone 
extensions. The campuses at Utica, Purchase, Stony Brook and 
Brooklyn, state they have inventories of extensions. However, 
we found that none of these campuses had performed verifications
to determine if the records were reliable. For example, Brooklyn
began an inventory in January 1995, but many of the departments
have not verified their inventory records. In addition, at
Brooklyn, we found calls were charged to extensions which were
not on inventory records. 

• Five campuses do not periodically monitor telephone use records
for patterns of abuse and excessive calls. In responding to our
audit report, two campuses, Purchase and Albany, agree with this
observation; two campuses, Utica and Cobleskill, disagree, and
the fifth campus, New Paltz, does not address the issue. The
two campuses that disagree state that their monitoring consists of
sending monthly statements to departments to determine if there
are any inappropriate calls. However, this approach is not
sufficient as it does not provide a means for identifying unusual
calling patterns. For example, telecommunications experts
suggest using specific criteria to monitor phone use such as
identifying long duration, weekend, late-night and 809 area code
calls. Other SUNY campuses are using these criteria to produce
reports for use in monitoring telephone use.

• Five campuses do not block calls to the “high-risk” 809 area
code, and one of these campuses has no restrictions over calls to
900 area codes. We found three calls made to 900 numbers that
a campus paid for, including one to a CHAT line. Three of
these campuses, New Paltz, Purchase and Utica, agree. The
campus at Stony Brook states that it has compensating controls 
and the campus at Albany states that blocking calls is not 
warranted. Telephone experts suggest blocking calls to high risk 
area codes as a great deal of telephone fraud involves these 
codes. This type of control is much more effective as it prevents 
problems from occurring rather than identifying problems only 
after they have occurred. 

• Some campuses have assigned personal identification numbers to 
each faculty and staff. This establishes accountability for long 
distance calls. Other campuses allow open access to the faculty 
and staff phones. These campuses have decided that convenience 
and easy accessibility outweigh the risks of not using personal 
identification numbers. 

• Four campuses do not limit access to their PBX systems from
outside lines. Two of these campuses, Cobleskill and Purchase,
state they have adequate restrictions. The campus at Albany
states that this level of restriction is not necessary and the
campus at Brooklyn does not address the issue. All of these
campuses allow their telephone vendor access to their system via
a switch which is left open 24 hours a day. We believe that
keeping this switch open creates an unnecessary risk as it is
possible to gain access through this switch. Other campuses, 
such as Plattsburgh, keep the switch closed unless they determine 
that the vendor needs access. They believe that keeping the 
switch open creates a weak link in their system. 

Without adequately safeguarding the remote access units, there is 
increased risk that someone can gain unauthorized access to the 
telephone system. For example, during the three-month period 
we examined, we found that one campus was billed $875 for 
1,109 calls for which the campus could not identify the source. 

• One campus that allows collect calls is unable to identify their
purpose, be it business, personal or non-State related. For
example, the campus accepted and paid for four calls from the
809 area code. Officials could not identify who accepted the
calls, as the extension was in a public area.

• One campus has not collected for telephone usage from non-State
and personal calls. Other campuses have collected for only a
portion of these types of calls.

These conditions indicate that, to varying degrees, the campuses have not 
established adequate internal controls over their telephone systems. We 
believe the weaknesses that we identified may exist at other SUNY 
campuses as well. Furthermore, we believe that the inconsistencies in 
the levels of control exist in part because SUNY System Administration 
has not provided necessary direction to the campuses. 

SUNY System Administration is viewed as a control point in the SUNY 
system, providing oversight and a wide range of functions. In its 
oversight capacity, SUNY System Administration offers guidance and 
assistance to various campus-based offices with similar functions. SUNY 
has developed a number of detailed procedures to assist the campuses in 
performing the various functions. However, we found that SUNY 
System Administration, in contrast to other operations, has not
established any guidelines, policies or procedures to assist campuses in the
administration of their telephone systems. Each campus has established
its own control system and is responsible for monitoring telephone 
activity. In comparison, the Office of General Services (OGS), which 
is responsible for telecommunications in most State agencies, monitors 
telephone activity for State agencies on a daily basis. 


Personal Phone Usage


Agencies are responsible for collecting payment for all non-State and 
personal calls. Seven of the eight campuses we visited have a system 
for identifying non-State and personal calls. However, these systems 
vary, as some campuses utilize specific control codes to identify personal 
calls; other campuses rely on the honor system to identify personal calls. 
The eighth campus has no system to identify personal or non-State calls 
and makes no effort to collect payment for these calls. 

Whether or not a campus seeks reimbursement for personal telephone 
calls depends on the attitude of its upper management. We found that 
in most cases the telecommunications departments are doing their part in 
providing the billing information to each department and administrative 
entity. However, some campuses are not enforcing the New York State 
Accounting System User Procedure Manual requirement to collect for all 
personal long distance telephone calls. This, coupled with SUNY System 
Administration’s lack of oversight and guidance on payment for personal
calls by faculty and staff, increases the chance that the State is paying
for non-State and personal calls. In responding to our audit report, the
campuses stated that they are making reasonable efforts to pursue
collection for personal calls and that they will reinforce the
reimbursement requirement with employees. However, we believe that the
campuses can do more than just reinforce current requirements. 
Improving controls and monitoring of phone use should result in a 
reduction of improper phone calls and an increase in collections for 
personal phone use. 

As part of our review, we obtained detailed calling records for a 
three-month period from five of the campuses we visited. During this 
three-month period these campuses made 560,708 long distance phone 
calls at a cost of $476,123. Using criteria published by the Institute of 
Internal Auditors and through discussions with telecommunication 
specialists, we reviewed the types of calls made from each extension. 
Based upon the types of calls made, we selected a judgmental sample of 
extensions for each campus. Following are the criteria we used when 
selecting extensions for review: the total number of long distance calls 
made from each extension during the three-month period; international, 
late-night, weekend and long duration (over 30 minutes) calls; and calls 
to the 809 area code. The calls made from each of the extensions 
chosen for our review met at least one of our criteria. In total, we 
selected 5,705 (one percent of total) long distance calls which cost 
$13,620 (three percent of total). Although many other calls met our 
criteria, we were unable to review additional extensions because of the 
large volume of calls. Of the calls reviewed, $2,512 (18 percent of 
sample) was identified as personal calls by the campuses. Prior to our 
audit only $700 had been collected for these calls. An additional 
$2,153, including amounts collected for calls not included in our sample, 
was collected during the audit. 
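
The selection criteria described above (call volume per extension; international, late-night, weekend and long-duration calls; calls to the 809 area code), which are also the monitoring criteria the report attributes to telecommunications experts, applied to call detail records. This is an added example, not part of the audit report: the CSV record layout, the sample records, the 22:00-06:00 late-night window and the three-call volume threshold are assumptions; only the 30-minute duration limit comes from the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Only the 30-minute limit is stated in the report; the rest are assumed values.
LONG_CALL_MINUTES = 30
LATE_NIGHT_START, LATE_NIGHT_END = 22, 6   # assumed window: 22:00 through 05:59
HIGH_VOLUME_CALLS = 3                      # assumed per-extension threshold
HIGH_RISK_AREA_CODES = {"809"}

# Constructed sample records: extension,start,dialed digits,minutes,cost
SAMPLE_CDR = """\
4101,1994-10-03 10:15,15185550142,4,0.52
4101,1994-10-04 14:30,15185550142,6,0.78
4217,1994-10-01 23:40,18095550199,12,9.60
4217,1994-12-25 07:05,18095550199,8,6.40
4350,1994-11-09 13:00,0118615550123,42,46.20
4350,1994-11-10 13:20,12125550111,3,0.39
4350,1994-11-11 09:00,12125550111,2,0.26
"""


@dataclass(frozen=True)
class Call:
    extension: str
    start: datetime
    dialed: str      # digits as dialed, after any outside-line prefix
    minutes: float
    cost: float


def load_calls(text):
    """Parse the assumed CSV layout into Call records, skipping blank lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ext, start, dialed, minutes, cost = (f.strip() for f in line.split(","))
        calls.append(Call(ext, datetime.strptime(start, "%Y-%m-%d %H:%M"),
                          dialed, float(minutes), float(cost)))
    return calls


def call_flags(call):
    """Return the set of review criteria that a single call meets."""
    flags = set()
    digits = call.dialed
    if digits.startswith("011"):                      # North American international prefix
        flags.add("international")
    elif (len(digits) == 11 and digits.startswith("1")
          and digits[1:4] in HIGH_RISK_AREA_CODES):   # 1 + area code + 7 digits
        flags.add("area-809")
    if call.minutes > LONG_CALL_MINUTES:
        flags.add("long-duration")
    if call.start.weekday() >= 5:                     # Saturday or Sunday
        flags.add("weekend")
    if call.start.hour >= LATE_NIGHT_START or call.start.hour < LATE_NIGHT_END:
        flags.add("late-night")
    return flags


def review_report(calls):
    """Summarise, per extension, how many calls met each criterion.

    Only extensions meeting at least one criterion are returned, which
    mirrors how the auditors chose extensions for review.
    """
    per_ext = defaultdict(lambda: {"calls": 0, "cost": 0.0,
                                   "flags": defaultdict(int)})
    for call in calls:
        entry = per_ext[call.extension]
        entry["calls"] += 1
        entry["cost"] += call.cost
        for flag in call_flags(call):
            entry["flags"][flag] += 1

    report = {}
    for ext, entry in per_ext.items():
        flags = dict(entry["flags"])
        if entry["calls"] >= HIGH_VOLUME_CALLS:
            flags["high-volume"] = entry["calls"]
        if flags:
            report[ext] = {"calls": entry["calls"],
                           "cost": round(entry["cost"], 2),
                           "flags": flags}
    return report


if __name__ == "__main__":
    for ext, summary in sorted(review_report(load_calls(SAMPLE_CDR)).items()):
        print(ext, summary)
```

A report like this lists extensions to review; whether a flagged call was personal still has to be established with the department or caller, as the auditors did.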

Some of the results of our review of the phone calls made from specific 
extensions on each of the audited campuses are as follows: 

• Some of the campuses could not produce documentation to 
support that the calls, which they identified as personal in nature, 
had ever been paid for. 

• One campus provided us with documentation to support payment
of 526 of the 528 calls that had been identified as personal as a
result of our audit sample. These were telephone calls that were
made in October, November and December 1994. However,
these calls were not paid for until after we sent our request, in
May 1995, for an explanation of the calls. In fact, one of the
receipts contained the words "audit response."

• One individual made 24 calls to two different numbers in China 
over the three-month review period. These were personal calls 
that the individual had not paid for prior to our audit. After our 
visit to the campus, the individual submitted a check for $1,100 
to cover the cost of his calls. 

• At another campus it appears that some of the calls identified as 
State business may have been personal in nature. For example, 
one individual made 42 calls to a number in Goshen, New York, 
over the three-month period we reviewed. This individual 
identified the calls as State-related business calls, but did not 
provide any further details. We found, using the phone number 
identifier software that the College telecommunications department 
owns, that the number belongs to the individual’s former 
employer. It appears that these are personal calls that should be 
reimbursed by the individual. 

• One campus requires employees to dial a special code before they 
make any personal calls. According to campus officials, they 
assume that there are no other personal calls made other than 
those identified by the special code. However, we found that a 
number of calls made from the extensions we selected were on 
weekends, holidays and late at night. An example of this is the 
phone extension in the Family Medical Conference room, from 
which calls were made to the same number in Texas 3 times, 
Connecticut 15 times, and Puerto Rico 15 times, either late at 
night or early morning, weekends, and Christmas Day. It is 
highly unlikely that these calls were for hospital business. 
Campus officials stated that phone use from this extension is now 
restricted during non-business hours and employees have been 
reminded that the State must be reimbursed for any personal 
calls. 

Recommendations

1. Ensure that the campuses correct the control weaknesses detailed
in the body of the report and summarized in Exhibit A. 

2. Ensure that the campuses pursue collection of personal calls 
identified during the audit. 

3. Consider developing and issuing directives for campuses to 
follow in establishing adequate safeguards over their telephone 
systems. 

SUNY officials disagree with this recommendation. They state 
that as a result of their recent initiative entitled “Rethinking 
SUNY” they are less controlling of campus financial operations 
and the campuses are empowered to directly manage their 
financial affairs. They also state that the guidelines developed 
by the Division of Budget are sufficient. 

This response is inconsistent with recent actions taken by SUNY 
System Administration. For example, in responding to an audit 
in April 1996, SUNY officials stated that they would prepare an 
internal control bulletin to be submitted to all campuses advising 
them on advance account funding. Therefore, SUNY System 
Administration continues to provide assistance through the use 
of directives. Our audit recommendation does not require that 
SUNY exercise more direct control over campus operations. 
Rather, we ask SUNY to consider providing direction to 
campuses who have not established adequate safeguards. 

SUNY TELEPHONE SYSTEMS

SUMMARY OF INTERNAL CONTROLS AT SELECTED CAMPUSES

Campus       Written     Inventory of  Use of      Blocking  Use of   Security  Collecting
Location     Procedures  Extensions    Monitoring  Area      PIN      Over      Non-State
                                       Reports     Codes     Numbers  Access    Costs

Albany       GOOD        GOOD          WEAK        NO        NO       WEAK      SOME
Brooklyn     GOOD        WEAK          GOOD        YES       NO       WEAK      SOME
Cobleskill   GOOD        GOOD          WEAK        YES       YES      WEAK      SOME
New Paltz    NONE        GOOD          WEAK        NO        SOME     GOOD      SOME
Plattsburgh  GOOD        GOOD          GOOD        YES       YES      GOOD      SOME
Purchase     NONE        WEAK          WEAK        NO        SOME     WEAK      SOME
Stony Brook  GOOD        WEAK          GOOD        NO        SOME     GOOD      SOME
Utica        NONE        WEAK          NONE        NO        NO       GOOD      NONE

State University of New York
Controls Over Telephone Systems 
at Selected Campuses 
95-S-59 



SUNY System Administration 



Our comments regarding the specific recommendations are as follows:

(OSC) 1. Ensure that the campuses correct the control weaknesses detailed in the body of the
report and summarized in Exhibit A.

(OSC) 2. Ensure that the campuses pursue collection of personal calls identified during the
audit.

(SUNY) 1, 2. The draft report has been shared with the campuses and their responses are included
in this response.

(OSC) 3. Consider developing and issuing directives for campuses to follow in establishing
adequate safeguards over their telephone systems.

(SUNY) 3. We have considered the recommendation and we do not see a necessity to develop
and issue such directives.



We note that on page 3 of the draft report, the following statement is made: 

(OSC) Division of the Budget (DOB) guidelines require that State-furnished
telephone equipment and services be used solely for the performance of
official State business, except in an emergency. In addition, Volume XI,
Section 7.0300 of the New York State Accounting System User Procedure
Manual requires that agencies collect the amount of all toll charges for all 
personal long distance telephone calls. We found that many of the campuses 
we visited have weak internal controls and that reimbursement is not made 
for many of the personal calls. 

Thus, the report clearly states there are guidelines already in place but there were instances where
compliance with the guidelines could be improved. 

SUNY System Administration is in the process of restructuring and downsizing and will become
smaller and more efficient. In response to the Legislative charge to State University of New York
(Chapter 82, Laws of 1995), the Board of Trustees issued Rethinking SUNY, on December 1, 1995.
Rethinking SUNY calls for “a more focused system office which is more responsible for policy and
monitoring educational results than for processing and which is less controlling of campus
operations”. The Preface of the report states: “Underlying Rethinking SUNY is the theme of
increasing efficiency by empowering campuses to directly manage more of their academic and
financial affairs...”.

Given the direction called for in “Rethinking SUNY”, and the fact that procedures are already in
place, we disagree with the thrust of the report, namely that System Administration should have 
more involvement in campus telephone systems. 



Specific Campus Responses

State University of New York Institute of Technology at Utica/Rome Comments 

During the audit period April 1, 1993 - August 31, 1995, the responsibility for campus 
telecommunications was reassigned from the Information Services Department to the Facilities 
Department. The Summary of Internal Controls (Exhibit A) reflects the performance of the campus
in each area prior to the reassignment in May of 1994. Since that time, these areas have been 
strengthened. The following are specific responses to each of the areas in the Summary of Internal 
Controls and the auditors' three recommendations. 

Written Procedures 

A written policy was promulgated by the Vice President for Administration on January 19, 1995 as 
Campus Bulletin 95-1, which reaffirmed that campus telephones are for University business. Also, 
a statement was included in each monthly bill sent to campus unit heads which further clarified the 
responsibility for employees to reimburse the Institute within one month for any personal telephone 
calls. 



Inventory of Extensions 

When the reassignment of campus telecommunications responsibility was made in May 1994, a
complete inventory of the campus telecommunications equipment was conducted. Since then an
inventory of telephone extensions and associated equipment has been maintained in a database and
is updated whenever changes occur. This database is in agreement with the PBX records and is the 
basis for the campus telephone equipment recharges and charges to non-state users. 

Use of Monitoring Reports 

The Campus purchased new software in June of 1994 which enabled the accurate costing of all
telephone calls originating from the Campus. On July 1, 1994, Facilities reestablished the procedure
of distributing monthly telephone statements to the campus unit head for review and appropriate
action. The Telecommunications Specialist audits all of the call records for compliance with
established procedures prior to preparing billing statements and initiates appropriate actions when

Blocking Area codes

Since June 1, 1995, the PBX blocks all 900 and certain 800 calls which revert to 900 calls. Constant 
surveillance has been maintained to block new 800 numbers which revert to 900 numbers. Also, all 
international calling was blocked. International calling is now permitted only upon approval by the 
appropriate Dean, Director, or Vice President and then must be used with a PIN to identify the caller. 

Use of Pin Numbers 

Since June 1, 1995, PIN numbers are routinely used for international calling access and by student 
workers with access to campus telephones. Unit heads have been notified that PIN numbers are 
available for their use and some unit heads have elected to assign PIN numbers to employees to aid 
in controlling telephone usage where there are multiple users of the same extension. 

Security Over Access 

No Response. 

Collecting Non-State costs 

In accordance with the New York State Accounting Systems User Procedures Manual, the 
Utica/Rome campus policy states that State furnished "telecommunications equipment and services 
are for University business use only." Pay telephones are provided for employee use. Personal 
cellular phones and personal calling cards are permitted. In all known cases of telephone abuse and 
personal emergency calling, restitution is actively pursued. 

Since the reestablishment of the monthly telephone statements in July 1994, all non-state entities are 
charged for usage, equipment costs, and a basic service charge. 

Recommendations: 

1. Utica/Rome will continue to strengthen its controls in each of the areas summarized in Exhibit 
A. 

2. Utica/Rome will continue to monitor and collect for personal telephone calls in accordance 
with the State Accounting system User Procedure Manual, Vol. XI, Section 7.0300. 

3. Utica/Rome has made great strides since May 1994 in controlling the use and the costs 
associated with the telecommunications system. Surveillance will be maintained and additional 
controls will be developed as required. 

State University College of Agriculture and Technology at Cobleskill Comments 



We were mentioned in the summary page of internal controls at selected campuses. According to 
our Telecommunications Manager, we do use monitoring reports to track personal calls for 
administration and academic departments. The Telco Office sends monthly details of calls to 
supervisors and asks that they review the listings for patterns which might be personal. We have 
questioned faculty members and have made collections from this monitoring. 

We were also classified as "weak" in the area of security over access. Again, our Telco Office feels 
that they do limit access to our PBX from off campus. Our office feels that it is very unlikely that 
outsiders could gain access to our PBX system in the way we are configured. 



SUNY College at Purchase Comments 
Written Procedures 

We agree with the findings. The College realizes the importance of written policies and procedures 
and is currently preparing documentation. 

Inventory of Extensions 

The Telecommunication Department maintains two databases for inventory of telephone extensions. 
The Inventory database consists of detailed information on each station (extension) such as type of 
line, port number, pair number, division/department extension is assigned to, user’s name, access 
level, building and room number and other minor relevant information. The billing database 
tabulates calls, duration of calls, amount and number called by extension and the division/department 
the extension is assigned to. The two databases can be cross-referenced thus providing the ability 
to identify each extension, location, user and the calls made off-campus by extension. However, the 
weakness may be due to the fact some extensions are shared and a Personal Authorization Code 
(PAC) is not utilized or requested. Also, user names are not always provided in a timely fashion to 
Telecommunications by the department to update the files. This does not prevent identification of 
calls made from any extension. 

Use of Monitoring Reports 

Use of Monitoring Reports - The billing database generates monthly utilization reports. The College 
does not monitor/screen any calls; the division/department is responsible for all calls made from their 
assigned extensions. The campus relies on the honor system for collection of 
non-business/personal calls. The Telecommunication Office does limited monitoring but does not 
pass judgement on any call and leaves that decision to the department. The Office has a staff of four 
including a technician for installations and repairs. The implementation of a monitoring system 
would require additional staff. 

Blocking Area Codes 

Blocking Area Codes- The College has established access levels, as noted in previous 
correspondence. These access levels are area code restrictions. Access to the 900 area code is 
blocked system wide. There are 1117 extensions for division/department use on campus; of these, 277 
or 25% have access to the 809 area code. The access level of an extension is authorized by the 
division/department head. Third party and collect calls are not allowed or accepted by the College. 

Use of PIN Numbers 

Use of PIN Numbers - Some offices where phone lines are shared by multi-users employ the PIN 
access. We encourage departments to use PINs for tracking personal use but this decision rests with 
the division/department head. Personal judgement is an important factor even when a user has a 
separate PIN code for business and personal calls, ultimately, reverting back to a modified “honor 
system”. 



Security Over Access 

Security Over Access - We interpret this to mean access to the PBX switch by external dial-in or on 
campus access. The only source with remote dial capability to our switch is the Telecommunication 
maintenance contractor. There are three (3) campus personnel who have access but must be on 
campus to do so. Access is granted after passwords have been matched. We have had no violation 
in the past seven years. 

Collecting Non-State Cost 

Collecting Non-State Cost - The campus relies on the “honor system” for collection of personal calls. 
The caller must identify personal usage from the monthly extension billing. 

While we understand the significance of the weaknesses cited, it is not clear to us how some 
determinations were made. All the reports produced by the system databases (billing and inventory) 
were provided and explained to the OSC audit team. 

In summary, we disagree with the ratings for inventory of extensions, blocking area codes and 
security over access. We agree on the lack of written procedures, use of monitoring reports, use of 
PIN numbers and collecting non-state costs. 



SUNY College at New Paltz Comments 
Written Procedures 

We disagree that SUNY New Paltz does not have written procedures. The Faculty and Staff 
Directory, which is issued annually at the beginning of the fall semester, contains the following 
paragraphs on the first page. 



“Business and Personal Calls 

All telephone calls which are necessary to accomplish your job or professional activities are 
business calls. A call to home to indicate that you must work late because of unscheduled 
overtime or unanticipated need is a business call. 

Any other call, local or long distance, is a personal call. Included are calls related to family 
or friends, day care, personal banking, investment counseling, medical or dental appointments, 
or home services, such as electricians, plumbers, or carpenters. 

If you make personal calls, you must obtain a Personal Billing Number (PBN) from the 
Telecommunications Office, HAB 40. This seven digit code ensures that you will receive a 
separate bill each month for your personal calls. They will not appear on the departmental 
telephone bill. 

The PBN may be used from any campus telephone except emergency telephones. The cost per 
call is less than using a credit card or coin telephone.” 

In addition, we insert a reminder each month with every departmental extension telephone bill. For 
example, the April 1, 1996 bill insert was: 

“If you make personal calls, you must obtain a Personal Billing Number (PBN) from 
Telecommunications. All calls necessary to accomplish your job or professional activities are 
business calls. A call home to indicate that you must work late because of unscheduled 
overtime is a business call. 

Any other local or long distance call is a personal call. Included are calls made to family or 
friends, day care providers, or for personal banking, investment counseling, medical or dental 
appointments, etc. We bill over $1,000 a month in personal calls to faculty and staff.” 



Blocking Area Codes 

We currently block all calls to 900 numbers and all incoming collect or third party calls. We do not 
block calls to the 809 (Caribbean) area code. This could be considered discriminatory. We do 
monitor calls to all area codes and are confident we are able to detect possible abuse. 

Use of PIN Numbers 



All emergency telephones are restricted to on-campus calling only. All telephones in public areas 
are restricted, but a faculty or staff member may make local or long distance calls if he or she uses 
a PIN number. 

Collecting Non-State Cost 

Although efforts to collect non-State costs can always be improved, we believe that SUNY New 
Paltz is making every reasonable effort. For the period January - December 1995, for example, we 
billed over $21,200 to faculty and staff for personal calls or an average of over $1,700 per month. 

State University of New York at Stony Brook Comments 

Telephone Extension Inventory 

The Comptroller’s observation concerning our telephone extension inventory is the result of a timing 
difference between the time period covered by the audit and the date that the audit work was 
performed. Our extension inventory is updated on an ongoing basis in two ways: 

• We periodically query our PBX to identify all extensions, and; 

• We update the inventory on a daily basis when calls are identified with an extension not 
listed in the database. 

Blocking of High-Risk Area Codes 

System-wide blocking of international area codes, as suggested in the audit, is not feasible for two 
reasons; first, many of our students come from outside the United States (including the Caribbean) 
and therefore need the capability to make international calls. Second, as a research university many 
of our faculty and staff also require this capability to perform their jobs. 

System-wide blocking of this capability is not the only way to achieve the objective of controlling 
access and limiting exposure to inappropriate use of international calling. In fact, we implemented 
the following controls to compensate for this: 

• Administrative Telephones 

Class of Service Control: We control international calling capabilities through classes of service 
rather than global blocking. Units and individuals who require this capability are granted it through 
their class of service; those who do not are blocked. 

Use of Reports to Monitor Call Activity: The Comptroller's findings indicate that we make effective 
use of reports for monitoring telephone activity. As part of its regular operations, our 
telecommunications office monitors the use of international calls by reviewing system reports 
detailing: call records from the 809 area code and all 900 calls. 

• Resident Student Telephones 

Use of Private Contractor: We have entered into a contract with a private company to administer our 
resident student telephone billing. The company grants international calling capability only to 
students who indicate a need for it. In addition, our contract with this company limits the 
University's exposure by making the company responsible for any unpaid student accounts 
receivable. 

Use of PIN Codes 

In our response to the Comptroller's preliminary findings, we questioned the feasibility or necessity 
of assigning PIN codes to each faculty/staff member. In particular we feel that secured offices 
reduce the need for such controls, that PIN Codes are not feasible for certain categories of employees 
and that, given the number of users and the size of our System, expanded use of these codes would 
overwhelm the capacity of our existing PBX. 

As we upgrade our PBX, we are encouraging the selective use of PIN codes in high-risk locations 
and for classes of employees where we consider them to be a useful control mechanism. 

Personal Phone Use 

This campus makes reasonable efforts to comply with the requirements of Volume XI, Section 
7.0300 of the New York State Accounting System User Procedure Manual that requires agencies to 
collect the amount of all toll charges for all personal long distance telephone calls. 

We believe that the special code implemented to identify personal phone calls, the detailed billings 
provided to department heads, the monitoring of phone use by department heads and the payment 
mechanisms we have established constitute reasonable efforts to comply with this requirement and 
that additional efforts in this area are not likely to be cost beneficial. We will, however, reinforce the 
reimbursement requirement with employees. 

The auditors noted one extension in the Hospital where calls were made at what they considered to 
be non-business hours and questioned whether they were related to hospital business. This was an 
isolated occurrence and department management has taken steps to secure the extension questioned. 

Recommendations: 

1. We believe that we have sufficient compensating controls in place to address the absence of 
the specific types of controls cited by the Comptroller. 

2. There were no such calls cited in the Comptroller’s draft report that relate to Stony Brook. 



State University of New York Health Science Center at Brooklyn Comments 
Recommendation 

1. The Health Science Center at Brooklyn agrees with the recommendation that the campus 
correct any actual control weaknesses but disagrees with the report’s identification of such 
weaknesses as they occur at this campus. Two areas of disagreement exist: 

• Inventory of Extensions - All telephone extensions are reviewed periodically by both 
departmental and Telecommunications office personnel. 

• Use of PIN numbers - Some departments at the Health Science Center utilize PIN 
numbers. The Health Science Center is evaluating the use of PIN numbers in other 
departments. 



State University of New York at Albany Comments 
Use of Monitoring Reports 

We agree in part. Of the reports produced by the State University Construction fund, some warrant 
review on a regular basis and others, because of their particular content, do not. We will undertake 
to review the relevant reports on a regular basis. Further, it should be noted that the new 
Telemanagement system which will be provided per the terms of the contract with our 
telecommunications vendor will allow the University to obtain a set of management reports 
explicitly tailored to our needs, and those reports, when they become available, will be regularly 
reviewed as an integral part of our system management routine. 

Blocking Area Codes 

The University at Albany has always allowed international calls to be made from any extensions 
having long distance calling capability. To date, that has not caused a problem of note. 
Furthermore, the number of classes of service available in the NEAX 2400 system is limited. 
Having considered the recommendation, the University has determined that blocking international 
calls or establishing a separate class of service is not warranted. 

Use of PIN Numbers 

The routine use of personal authorization codes for extensions that are fully charged to one account 
offers little practical value. These phones are in areas that are provided with administrative or staff 
oversight and, like other assets, they are the responsibility of the respective department to protect 
from unauthorized use. Thus, the imposition of the use of authorization codes is unwarranted for 
those extensions. 

For extensions having multiple funding sources, the use of authorization codes would facilitate the 
billing and rebilling of call charges to appropriate departmental accounts. For example, an extension 
from which calls are made that may be paid for by either a State account or a grant, the option to 
designate a call to be charged to one account or another - at the time of the call - would be a prime 
for use of an authorization code. Toward this end we are actively evaluating the limited 
use of authorized codes. 

Security Over Access 

We disagree with the specific recommendation. The University has contracted with a vendor for the 
provision of communication services to the resident student population, as well as the operational 
maintenance of the telephone systems. By design, the University’s telephone system provides for 
remote monitoring. The contract stipulates: 

“It is essential that the University and the organization maintaining the telephone 
system(s) have the capability to test all portions of the system(s) quickly and easily. This 
capability shall be used to provide quality assurance, help in preventive maintenance, 
trouble shooting circuit availability verification, and record keeping.” 

Blockage of the remote ports as recommended in the audit report would be contrary to the explicit 
intent of the contract. Not only would it prohibit the vendor’s ability to provide the level of services 
required, but would also deprive the University effective and timely management of the system. On 
the other hand, the enhanced use of callback modems is in the interest of the University at Albany 
and as such was established as a requirement of the contract. Accordingly, we are actively engaged 
in oversight of the installation of callback modems. Thus when combined (passwords with multiple 
callback modems) a significant level of security is achieved. 

Collecting Non-State Costs 

The University at Albany has had a written policy governing the use of telephone equipment for a 
number of years. We will, however, reiterate and disseminate the University’s policy on use of 
telephone equipment with greater frequency than has heretofore been the case. 

We agree that employees should reimburse the State for personal phone calls, and that is indeed the 
policy of the University. As noted above, we will periodically remind department managers of their 
responsibility to oversee and manage the use of telephones assigned to their departments and their 
responsibility to ensure that the cost of personal phone calls be reimbursed to the State. 